NIH eyes PCI cards to boost security on its PCs and servers

'I have for a long time believed there are some basic security problems with IP.'

'NIH's Jack Jones

Olivier Douliery

The National Institutes of Health is evaluating a new hardware security device to enforce IT policy at its Bethesda, Md., campus.

Jack Jones, acting deputy director of the Center for Information Technology, said he hopes SiNic cards from Seclarity Inc. of Albuquerque, N.M., can take over user authentication and safeguard desktop communications on the NIH network.

'I have for a long time believed there are some basic security problems with IP,' Jones said. He cited in-band signaling and the fact that many security components rely on individual desktop configurations, which are difficult to control.

SiNic takes over firewall, authentication and encryption functions on PCs as well as servers. Even so, Jones still won't have control over desktop configurations, 'but I cease to care,' he said. Encryption does not stop out-of-band signaling, but it reduces the risk of interference as connections are set up and managed.

The SiNic PCI card appears to the host operating system as a traditional Ethernet network interface card, Seclarity CEO Adrian Vanzyl said. But it acts as a full Unix subsystem with its own software modules to enforce policies at network endpoints.

Because it operates autonomously, it cannot be bypassed and is unaffected by any compromise of the host machine. If the card is removed, the host cannot access the network. The card's functions are transparent to the host operating system, applications and user, and they require no user cooperation.

'The moment you have to retrain users or expect them to do things differently, things can and do go wrong,' Vanzyl said. 'If there is nothing for users to mess with, there is nothing for them to screw up.'

SiNic supports the Data Encryption Standard, Triple DES and Advanced Encryption Standard. It handles authentication with X509 digital certificates issued by a central command console, which also handles key distribution. There is point-to-point encryption between desktop system and server, without any action needed from the user.

The console also administers policy. It integrates with the Lightweight Directory Access Protocol and Microsoft Active Directory to set up access rights, which are pushed over the network to the users' cards. Access can be defined by host, user or workgroup.

Each console can manage tens of thousands of cards, Vanzyl said. The first prototype PCI cards came out early last year and the first production cards early this year.

The Defense Department helped fund development of a wireless version for notebook computers and handhelds, which is not yet available, Vanzyl said.

Jones said he is eyeing SiNic primarily to protect sensitive patient and financial information.

'I'm looking at piloting it locally at first,' he said. There is no timetable for the pilot. If the card is adopted, it probably would see limited implementation at NIH because 'it would cost too much to put it everywhere,' Jones said.

Price depends on volume and form factor. The PCI version costs $200 to $300 per card, and the wireless version will cost about $50 more. An unlimited site license for the command console is $10,000.

Strong authentication

Jones said the wireless version, when it becomes available, could provide strong authentication for mobile users'for example, doctors visiting patients. An upgrade of the hospital's management system could make new applications possible, too.

'We're major BlackBerry users here,' Jones said. But he is not sure NIH doctors will adapt well to mobile clinical applications. 'We've been looking at some table computers to see if we can produce a system that would be useful to them,' he said.

In the short run, winning over the institutes' systems administrators is a more urgent task.

'They're sort of wary so far,' Jones said. 'Introducing any new technology for the operations people represents potential headaches.'

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.